Attachment: HTML with obfuscation and recipient's email in JavaScript strings

calendar Aug 29, 2023  ·
Share on: linkedin copy

Attached HTML file contains JavaScript code with suspicious identifiers like 'atob' or 'decrypt', as well as the recipient's email address embedded within the JavaScript

Sublime rule (View on GitHub)

 1name: "Attachment: HTML with obfuscation and recipient's email in JavaScript strings"
 2description: |
 3    Attached HTML file contains JavaScript code with suspicious identifiers like 'atob' or 'decrypt', as well as the recipient's email address embedded within the JavaScript
 4type: "rule"
 5severity: "high"
 6source: |
 7  type.inbound
 8  and any(attachments,
 9          (
10            .file_extension in~ ("html", "htm", "shtml", "dhtml")
11            or (
12              .file_extension is null
13              and .file_type == "unknown"
14              and .content_type == "application/octet-stream"
15              and .size < 100000000
16            )
17            or .file_extension in~ $file_extensions_common_archives
18            or .file_type == "html"
19          )
20          and any(file.explode(.),
21                  // suspicious identifiers
22                  any(.scan.javascript.identifiers, strings.like(., "atob", "decrypt"))
23                  // Recipients address found in javascript
24                  and any(recipients.to,
25                          any(..scan.javascript.strings, strings.icontains(., ..email.email))
26                  )
27          )
28  )   
29attack_types:
30  - "Credential Phishing"
31tactics_and_techniques:
32  - "HTML smuggling"
33  - "Scripting"
34detection_methods:
35  - "Archive analysis"
36  - "File analysis"
37  - "HTML analysis"
38  - "Javascript analysis"
39id: "1aff486b-527c-597c-9ca9-3be37210fd97"
to-top